balinterdi / only_owner

Description:	A Rails plugin to facilitate access management of owner-type controller actions edit
Homepage:	edit
Public Clone URL:	git://github.com/balinterdi/only_owner.git Give this clone URL to anyone. `git clone git://github.com/balinterdi/only_owner.git`
Your Clone URL:	git@github.com:balinterdi/only_owner.git Use this clone URL yourself. `git clone git@github.com:balinterdi/only_owner.git`

by default, only the edit, update and destroy actions are protected

balinterdi (author)

Fri May 01 05:40:03 -0700 2009

commit 68807cbed50c379d53576e4d182a3e50f9751eb2
tree e99c79ab630926a53e8d13f0392bc06ab68e0b5a
parent 64b780d9f4d7c50ca82bc84e3101683a0bc6f9f3

only_owner /

	name	age	history message
	MIT-LICENSE		Loading commit data...
	README.markdown
	Rakefile
	init.rb
	install.rb
	lib/
	tasks/
	test/
	uninstall.rb

README.markdown

only_owner

The plugin aims to leverage the recurring -and thus tedious- task of granting access only to the owner of a resource. (e.g a user profile). Most of the time all actions of a controller with the exception of the new-create action and possibly the index and show actions should be allowed only for the owner of the record.

Installation

only_owner is a Rails plugin so installing it is as easy as this (supposing you are in the root of your Rails app):

./script/plugin install git://github.com/balinterdi/only_owner.git

How does it work?

The plugin provides an only_owner class method for ActionController which will deny access (redirect to the login page) to protected actions for non-owners. It does this through adding a before_filter to the chain.

The plugin supposes a few things about the available methods:

a current_user method is in scope in the controller and that it returns the currently active user of nil if no user is logged in. Another method can be given by passing the :current_user option.
a find_<model_name_singular> is in scope and it returns the model instance the user is fetching. This only makes sense for actions that operate on a given resource (edit, update, show, delete, destroy) but most of the time it is these actions that should be protected anyway. Another finder method can be used by specifying the :finder parameter.
the resource model has an association called "user" that links it to its owner. This name can be overridden by providing an :owner parameter which points.

The plugin supposes that all methods of the controller except the new, create, index and show ones need to be protected. If the actions to be protected differ from this, they can be specified with the following parameters:

:only => <actions> : only the specified actions should be protected
:except => <actions>: all actions except the specified actions should be protected

Examples

Profile belongs_to :user, there is a find_profile method in the controller, and the current_user method returns the user that is logged in:
```
class ProfilesController < ApplicationController
  only_owner
end
```
Profile belongs_to :user, there is a find_profile method in the controller, and the current_user method returns the user that is logged in. Only deletion is protected.
```
class ProfilesController < ApplicationController
  only_owner :only => [:destroy]
end
```

Same as 1., but the association linking the profile to the user is called owner

class ProfilesController < ApplicationController
  only_owner :owner => :owner
end

Same as 1., but the method returning the current user is logged_in_user

class ProfilesController < ApplicationController
  only_owner :current_user => :logged_in_user, :owner => :owner
end

Same as 1., but the method to find the profile is called get_profile

class ProfilesController < ApplicationController
  only_owner :finder => :get_profile
end

Contact

I appreciate any kind of feedback, be it a bug report (mostly welcome), praise, (constructive) criticism or feature proposal/request: balint@bucionrails.com